Sorry for this very general question: I'm using Logstash to parse simple log files. I notice a difference in the number of entries between what I get by using grep and what shows up in the indices. It's not that big, around 0.1%–0.2%: like the Elasticsearch indices have 999,000 documents while with grep I get 1,000,000 log entries. The log files have a simple structure and I use the equivalent regex with grep as I use with grok. All logfiles show up in the sincedb file.
I'd just like to hear some hints on how to approach this problem. I have no idea what could be the reason.
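One way to approach a grep-versus-index gap is to produce, from the raw files, the numbers the index count should be compared against, then look at the lines that fall out. The script below is an added example and is not part of the original post; the log lines, the grok-style pattern (`GROK_RE`) and the grep-style pattern (`GREP_RE`) are constructed for illustration, and the fingerprint column assumes the pipeline sets the document `_id` from a hash of the line (if it does not, that column is irrelevant). It applies the two patterns the way the two tools apply them (grep searches anywhere in the line, grok anchors at the start of the message), lists the raw lines grok rejects, and counts exact duplicates that would collapse onto one `_id`.

```python
import hashlib
import re
from collections import Counter

# Constructed sample log (not from the original post). Line 3 is a continuation
# line such as a stack-trace frame, line 4 carries a relay prefix ahead of the
# timestamp, and the last two lines are exact duplicates of each other.
SAMPLE_LOG = (
    "2024-01-01T10:00:00Z INFO user=alice action=login\n"
    "2024-01-01T10:00:01Z ERROR user=bob action=upload\n"
    "    at com.example.Upload.run(Upload.java:42)\n"
    "relay01: 2024-01-01T10:00:02Z INFO user=dave action=login\n"
    "2024-01-01T10:00:03Z INFO user=carol action=logout\n"
    "2024-01-01T10:00:03Z INFO user=carol action=logout\n"
)

# Hypothetical patterns standing in for the ones in the post. The grok side is
# written as grok applies it: anchored at the start of the message. The grep
# side is what `grep -E` does: search anywhere in the line.
GROK_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>[A-Z]+) user=(?P<user>\S+) action=(?P<action>\S+)$"
)
GREP_RE = re.compile(r"[A-Z]+ user=\S+ action=\S+")


def fingerprint(line: str) -> str:
    """Stable id for a raw line, mirroring a fingerprint-based document_id (assumed)."""
    return hashlib.sha256(line.encode("utf-8")).hexdigest()


def audit(text: str) -> dict:
    """Compare a grep-style count with a grok-style count over the same text.

    Returns the figures to put side by side with the index document count:
    total raw lines, lines grep would count, lines grok would parse, the raw
    lines grok rejects (Logstash tags such events _grokparsefailure), and the
    number of distinct fingerprints (what the index holds if _id is a hash of
    the line, because re-indexed duplicates overwrite rather than add).
    """
    lines = text.splitlines()
    grok_ok = [ln for ln in lines if GROK_RE.match(ln)]
    grok_failed = [ln for ln in lines if not GROK_RE.match(ln)]
    grep_hits = [ln for ln in lines if GREP_RE.search(ln)]
    fps = Counter(fingerprint(ln) for ln in grok_ok)
    return {
        "total_lines": len(lines),
        "grep_matches": len(grep_hits),
        "grok_matches": len(grok_ok),
        "grok_failures": grok_failed,
        "unique_after_fingerprint": len(fps),
        "duplicate_lines": sum(n - 1 for n in fps.values()),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it over the real files (replace `SAMPLE_LOG` with the file contents and the two patterns with the ones actually used) and compare `grok_matches` and `unique_after_fingerprint` with the index document count; the `grok_failures` list is the set of raw lines to inspect by hand, and on the Elasticsearch side a count of documents tagged `_grokparsefailure` tells whether the missing entries arrived but failed to parse or never arrived at all.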